I was doing some scanning with a new vulnerability scanner at work. It found something listening on a lot of servers, described only as Apache and OpenSSL listening on TCP port 2381. The versions varied.
Luckily I also had Qualys at my disposal, and scanning with Qualys solved the mystery for me quickly. It turned out to be the HP System Management Homepage, a remote administration/diagnostic tool that, as the title says, lets you manage HP server hardware. It runs on Windows, Linux, and HP-UX.
There’s nothing wrong with running the HP System Management Homepage. Well, there’s nothing wrong as long as you’re actually using the functionality it provides, and you’re keeping it up to date.
The open-source components it’s built from occasionally need updating. When that happens, HP releases a new version. In 2014 that happened pretty darn often, thanks to the numerous problems with OpenSSL.
How to secure TCP port 2381
If your vulnerability scanner doesn’t provide guidance on updating the HP System Management Homepage, you can download the newest version at this link.
Any time you hear of a vulnerability in Apache, PHP and/or OpenSSL, start checking back there periodically for new versions. It can take a little time for HP to issue a new version, but eventually they will. So you want to always stay at the newest, least vulnerable, least bad version. That’s the only way to stay safe.
Actually, there is an alternative. If you don’t use the functionality, disable and uninstall it. It’s consuming memory and if you’re not using it, you’re probably not maintaining it either. In that case it’s just another attack vector for systems that scarcely need another one.
It’s also not outside the realm of possibility that you have servers that started out on HP hardware, then got virtualized at some point. So you may have the HP System Management Homepage running on virtual hardware. If that’s the case, remove it. It’s not doing you any good.
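To turn the advice above into a worklist, here is an added example (not from the original post) that checks your own servers for a listener on TCP port 2381 and applies the keep-it-patched-or-remove-it decision. The inventory columns `virtual` and `smh_in_use` and the sample rows are constructed assumptions; an open port alone does not prove the listener is the HP System Management Homepage, so confirm with your scanner or the installed-software list.

```python
import csv
import io
import socket
from concurrent.futures import ThreadPoolExecutor

SMH_PORT = 2381  # TCP port discussed in the article

# Constructed inventory. The columns are hypothetical: "virtual" and
# "smh_in_use" are facts you would pull from your own CMDB or asset list.
SAMPLE_INVENTORY = """host,virtual,smh_in_use
127.0.0.1,no,yes
localhost,yes,no
"""

def is_listening(host, port=SMH_PORT, timeout=2.0):
    """Return True if a plain TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, unreachable
        return False

def recommend(listening, virtual, in_use):
    """Apply the article's advice to one server."""
    if not listening:
        return "ok: nothing listening on the port"
    if virtual:
        return "remove: HP hardware agent on virtual hardware"
    if not in_use:
        return "remove: unused, so probably unmaintained"
    return "keep: update to the newest version and watch for new releases"

def sweep(inventory_csv, port=SMH_PORT, workers=16):
    """Probe every host in the CSV; return a list of (host, action)."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda r: is_listening(r["host"], port), rows))
    return [
        (r["host"], recommend(up, r["virtual"] == "yes", r["smh_in_use"] == "yes"))
        for r, up in zip(rows, states)
    ]

if __name__ == "__main__":
    for host, action in sweep(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```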
How to scare people with TCP port 2381
Vendor-specific and vendor-provided software is something almost everyone overlooks, so it can provide convenient places for attackers to hide. If you want to do well in a job interview for a security position, be sure to mention that. There’s a good chance your interviewer hasn’t thought of it. There’s also a good chance nobody else interviewing for the position has either.
That’s the mystery of TCP port 2381. Now you know what it is. You also know what you need to do about it.